VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50743

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: Fix pcluster memleak when its block address is zero

syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed

unreferenced object 0xffff88811009c7f8 (size 136):
  ...
  backtrace:
    [] z_erofs_do_read_page+0x99b/0x1740
    [] z_erofs_readahead+0x24e/0x580
    [] read_pages+0x86/0x3d0
    ...

syzkaller constructed a case: in z_erofs_register_pcluster(), ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be zero although pcl is not an inline pcluster.

Then the following path adds a refcount for grp, but the refcount won't be put because pcl is inline.

z_erofs_readahead()
  z_erofs_do_read_page()        # for another page
    z_erofs_collector_begin()
      erofs_find_workgroup()
        erofs_workgroup_get()

Since it's illegal for the block address of a non-inlined pcluster to be zero, add a check here to avoid registering the pcluster which would be leaked.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in the Linux kernel's erofs filesystem occurs when a non-inline pcluster is registered with a zero block address.

Vulnerability

In the Linux kernel's erofs filesystem, a memory leak vulnerability exists in the pcluster (page cluster) management code. The function z_erofs_register_pcluster() can register a pcluster as non-inline (ztailpacking = false) but with a block address of zero (map->m_pa = zero). This causes the pcluster's index to be zero, incorrectly marking it as inline even though it is not. Subsequent operations in z_erofs_do_read_page() and z_erofs_readahead() then increment the reference count for the workgroup associated with this pcluster, but the reference is never decremented because the pcluster is treated as inline [1].

Exploitation

An attacker can trigger this condition by constructing a malicious erofs image that satisfies the syzkaller reproducer: a scenario where a non-inline pcluster has a zero block address. This leads to the memory leak as described. The vulnerability is triggered during filesystem access operations (such as reading or readahead) when the kernel attempts to process the crafted image. No special privileges beyond mounting the crafted filesystem are required for the leak to occur [1].

Impact

Successfully exploiting this vulnerability causes a memory leak. Each trigger of the code path leaks a pcluster structure (136 bytes) that is never freed. Repeated exploitation can exhaust memory, potentially resulting in a denial of service (DoS) condition. The leak is detectable via kernel memory debugging tools such as kmemleak [1].

Mitigation

The fix is included in the Linux kernel commit c42c0ffe81176940bd5dead474216b7198d77675, which adds a check to reject pclusters with a block address of zero when they are not inline, preventing the registration of such misconfigured pclusters and thus eliminating the leak. Users should apply the latest stable kernel updates that contain this patch [1].
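To make the leak path and the fix's check concrete, the following is an added userland C model of the registration and reference-counting logic described in the commit message above ("add a check here to avoid registering the pcluster which would be leaked") and in this Mitigation section. It is constructed for this page; it is not the kernel's code and not the diff of commit c42c0ffe81176940bd5dead474216b7198d77675. The struct layout, the EFSCORRUPTED value, the simplified refcount handling and the sample block address 4096 are assumptions of the model, chosen only to reproduce the behaviour the advisory describes: a non-inline pcluster registered with block address zero gets obj.index == 0, is then treated as inline on the release path, and its lookup reference is never put.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userland model (assumption: not the kernel's own code) of the
 * pcluster registration and reference-counting logic the advisory describes.
 * Names mirror the erofs ones so the scenario is easy to follow. */

#define EFSCORRUPTED 117 /* model value only; the kernel maps EFSCORRUPTED to EUCLEAN */

struct workgroup {
    uint64_t index;   /* block address of the pcluster; zero marks it as inline */
    int refcount;     /* references held on the workgroup */
};

struct pcluster {
    struct workgroup obj;
    bool ztailpacking; /* true when the pcluster is a tail-packed inline one */
};

/* As the advisory explains, an inline pcluster is recognised by obj.index == 0. */
static bool pcl_is_inline(const struct pcluster *pcl)
{
    return pcl->obj.index == 0;
}

/* Registration before the fix: a non-inline pcluster with m_pa == 0 is accepted,
 * and its obj.index becomes 0, so it later looks inline. */
static int register_pcluster_unfixed(struct pcluster *pcl, bool ztailpacking, uint64_t m_pa)
{
    pcl->ztailpacking = ztailpacking;
    pcl->obj.index = ztailpacking ? 0 : m_pa; /* model: index taken directly from the block address */
    pcl->obj.refcount = 1;                    /* owner's reference */
    return 0;
}

/* Registration with the fix's check: a non-inline pcluster must not have a
 * zero block address, so the misconfigured pcluster is never registered. */
static int register_pcluster_fixed(struct pcluster *pcl, bool ztailpacking, uint64_t m_pa)
{
    if (!ztailpacking && m_pa == 0)
        return -EFSCORRUPTED;
    return register_pcluster_unfixed(pcl, ztailpacking, m_pa);
}

/* Models erofs_find_workgroup() + erofs_workgroup_get() when a second page
 * of the same pcluster is processed in z_erofs_do_read_page(). */
static void collector_begin_second_page(struct pcluster *pcl)
{
    pcl->obj.refcount++;
}

/* Models the release path: the lookup reference is only put for non-inline
 * pclusters, which is why a zero-index non-inline pcluster leaks. */
static void collector_end(struct pcluster *pcl)
{
    if (!pcl_is_inline(pcl))
        pcl->obj.refcount--;
}

/* Runs the readahead scenario from the advisory with the given registration
 * function. Returns the negative error if registration was rejected, otherwise
 * the number of references left outstanding beyond the owner's (the leak). */
static int simulate_readahead(int (*reg)(struct pcluster *, bool, uint64_t), uint64_t m_pa)
{
    struct pcluster pcl;
    int err;

    memset(&pcl, 0, sizeof(pcl));
    err = reg(&pcl, false, m_pa);   /* ztailpacking = false, as in the reproducer */
    if (err)
        return err;
    collector_begin_second_page(&pcl);
    collector_end(&pcl);
    return pcl.obj.refcount - 1;
}

int main(void)
{
    printf("unfixed, m_pa=0    : leaked refs = %d\n", simulate_readahead(register_pcluster_unfixed, 0));
    printf("unfixed, m_pa=4096 : leaked refs = %d\n", simulate_readahead(register_pcluster_unfixed, 4096));
    printf("fixed,   m_pa=0    : status = %d (rejected)\n", simulate_readahead(register_pcluster_fixed, 0));
    printf("fixed,   m_pa=4096 : leaked refs = %d\n", simulate_readahead(register_pcluster_fixed, 4096));
    return 0;
}
```

In the unfixed model the zero-address pcluster ends the readahead with one reference that is never put, which is the per-trigger leak the advisory attributes to the 136-byte pcluster object; with the check in place the same input is rejected at registration, so no object exists to leak. In a real system the observable signal remains what the advisory names: kmemleak reporting an unreferenced object with a z_erofs_do_read_page() / z_erofs_readahead() backtrace.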

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.